threat hunting

Detecting NTLM Relay with Event Correlation

Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.

active-directoryevent-4624event-correlationldap-signingntlm-downgradentlm-relaypetitpotamresponder
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Authorized Testing Disclaimer: The offensive techniques and attack simulations described in this skill are intended exclusively for authorized penetration testing, red team engagements, purple team exercises, and security research conducted with explicit written permission from the system owner. Unauthorized use of these techniques against systems you do not own or have permission to test is illegal and unethical. Always operate within the scope of your engagement and comply with applicable laws and regulations.

Overview

NTLM relay attacks intercept NTLM authentication messages and forward them to a target service to gain unauthorized access. Attackers use tools like Responder for LLMNR/NBT-NS/mDNS poisoning, ntlmrelayx (Fox-IT/Impacket) for multi-protocol relay, and coercion techniques like PetitPotam (MS-EFSRPC) and DFSCoerce to force authentication from high-value targets like domain controllers. This skill provides a comprehensive event correlation framework using Windows Security Event 4624 LogonType 3 analysis, IP-to-hostname mismatch detection, Responder traffic identification, SMB/LDAP signing audit, and NTLM downgrade detection to identify relay attacks across Active Directory environments.

When to Use

  • Hunting for credential relay activity in Active Directory environments where NTLM authentication is still in use
  • Investigating alerts for authentication anomalies where the source IP does not match the expected workstation
  • Auditing SMB signing and LDAP signing enforcement to assess exposure to relay attacks
  • Detecting NTLM downgrade attacks where NTLMv2 is forced to NTLMv1 for easier offline cracking or relay
  • Building SIEM correlation rules for MITRE ATT&CK T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)
  • Responding to PetitPotam, DFSCoerce, or PrinterBug coercion alerts that may precede relay attacks
  • During purple team exercises validating NTLM relay detection and SMB signing enforcement

Do not use without centralized Windows Security Event Log collection, as a substitute for enforcing SMB signing and Extended Protection for Authentication (EPA) which prevent relay attacks at the protocol level, or without an IP-to-hostname inventory for correlation.

Prerequisites

  • Windows Advanced Audit Policy configured to capture Event IDs 4624, 4625, 4648, 4776, and 8004
  • Centralized log collection via Windows Event Forwarding (WEF) or agent-based shipping to SIEM
  • SIEM platform (Splunk, Elastic, Microsoft Sentinel) with correlation and alerting capability
  • IP address to hostname mapping inventory (DHCP logs, DNS records, or CMDB)
  • Network monitoring for LLMNR (UDP 5355), NBT-NS (UDP 137), and mDNS (UDP 5353) traffic
  • Understanding of MITRE ATT&CK T1557.001 and T1187 (Forced Authentication)

Workflow

Step 1: Understand NTLM Relay Attack Flow

The NTLM relay attack follows a three-phase pattern: coercion/poisoning, interception, and relay.

Phase 1 -- Coercion or Poisoning: The attacker forces or tricks a victim into initiating NTLM authentication. Methods include LLMNR/NBT-NS poisoning (Responder), PetitPotam (MS-EFSRPC abuse), PrinterBug (SpoolService), and DFSCoerce.

Phase 2 -- Interception: The attacker captures the NTLM Type 1 (Negotiate) and Type 3 (Authenticate) messages from the victim.

Phase 3 -- Relay: The attacker forwards the captured NTLM messages to a target service (SMB, LDAP, HTTP, MSSQL) to authenticate as the victim. This succeeds only when message signing is not enforced.

Victim ──NTLM Negotiate──> Attacker ──NTLM Negotiate──> Target
Victim <──NTLM Challenge── Attacker <──NTLM Challenge── Target
Victim ──NTLM Authenticate──> Attacker ──NTLM Authenticate──> Target

                                              Attacker authenticated
                                              as Victim on Target

Key Detection Insight: In a relay attack, Event 4624 on the target will show the victim's username but the attacker's IP address. The WorkstationName field may still reflect the victim's machine. This IP-to-hostname mismatch is the primary detection signal.

Step 2: Event 4624 LogonType 3 Analysis for Relay Detection

# Splunk: Detect IP-to-Hostname Mismatches in Network Logons
# Core NTLM relay detection -- correlates WorkstationName with IpAddress
 
index=wineventlog EventCode=4624 LogonType=3
    AuthenticationPackageName="NTLM" LmPackageName="NTLM V2"
| where TargetUserName != "ANONYMOUS LOGON"
    AND TargetUserName != "-"
    AND NOT match(TargetUserName, ".*\\$$")
| eval workstation_lower=lower(WorkstationName)
| lookup dns_inventory.csv hostname AS workstation_lower OUTPUT expected_ip
| where isnotnull(expected_ip) AND IpAddress != expected_ip
| table _time ComputerName TargetUserName WorkstationName IpAddress expected_ip
    LogonProcessName AuthenticationPackageName
| sort -_time
| rename ComputerName as TargetHost, IpAddress as ActualSourceIP,
    expected_ip as ExpectedSourceIP
# Splunk: Detect Rapid Multi-Host Authentication (Relay Spraying)
# Attackers relay captured credentials to multiple targets quickly
 
index=wineventlog EventCode=4624 LogonType=3
    AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
    AND NOT match(TargetUserName, ".*\\$$")
| bin _time span=2m
| stats dc(ComputerName) as target_count values(ComputerName) as targets
    values(IpAddress) as source_ips by _time TargetUserName
| where target_count > 3
| table _time TargetUserName source_ips target_count targets
| sort -target_count
# Splunk: Detect NTLM Authentication from Non-Workstation IPs
# Relay tools often run from Linux attack boxes not in DNS/DHCP inventory
 
index=wineventlog EventCode=4624 LogonType=3
    AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
    AND NOT match(TargetUserName, ".*\\$$")
| lookup dhcp_leases.csv ip AS IpAddress OUTPUT mac_address hostname
| where isnull(hostname)
| stats count dc(ComputerName) as targets_hit values(ComputerName) as target_hosts
    by IpAddress TargetUserName WorkstationName
| where count > 1
| table IpAddress TargetUserName WorkstationName targets_hit target_hosts count
| sort -targets_hit
-- Microsoft Sentinel KQL: NTLM Relay Detection via IP-Hostname Mismatch
 
let known_hosts = datatable(WorkstationName:string, ExpectedIP:string)
[
    // Populate from CMDB or use DeviceNetworkInfo table
];
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName !endswith "$"
| where TargetUserName != "ANONYMOUS LOGON"
| where IpAddress != "-" and IpAddress != "::1" and IpAddress != "127.0.0.1"
| extend WorkstationClean = toupper(trim_end(@"\s+", WorkstationName))
| join kind=inner (known_hosts) on WorkstationName
| where IpAddress != ExpectedIP
| project TimeGenerated, Computer, TargetUserName, WorkstationName,
    IpAddress, ExpectedIP, LogonProcessName, AuthenticationPackageName,
    LmPackageName
| sort by TimeGenerated desc
-- Microsoft Sentinel KQL: Rapid NTLM Authentication to Multiple Targets
 
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName !endswith "$"
| where TargetUserName != "ANONYMOUS LOGON"
| summarize TargetCount=dcount(Computer),
    Targets=make_set(Computer),
    SourceIPs=make_set(IpAddress),
    AuthCount=count()
    by TargetUserName, bin(TimeGenerated, 2m)
| where TargetCount > 3
| project TimeGenerated, TargetUserName, SourceIPs, TargetCount, Targets, AuthCount
| sort by TargetCount desc

Step 3: Responder Detection via Network and Event Analysis

# Splunk: Detect Responder LLMNR/NBT-NS Poisoning via Network Logs
# Responder answers LLMNR (UDP 5355) and NBT-NS (UDP 137) queries
 
index=network sourcetype=zeek_dns
| where query_type IN ("LLMNR", "NBNS")
    OR id.resp_p IN (5355, 137)
| stats dc(id.orig_h) as victims count by id.resp_h answers
| where count > 10
| rename id.resp_h as responder_ip
| table responder_ip victims answers count
| sort -count
# Splunk: Detect LLMNR/NBT-NS Response from Non-DNS Servers
# Legitimate DNS servers respond to these; Responder impersonates them
 
index=network sourcetype="bro:dns:json" OR sourcetype="zeek:conn:json"
| where id_resp_p=5355 OR id_resp_p=137
| where NOT cidrmatch("10.10.0.0/24", id_resp_h)
| stats count dc(id_orig_h) as unique_victims by id_resp_h
| where unique_victims > 3
| table id_resp_h unique_victims count
| rename id_resp_h as suspicious_responder
# PowerShell: Detect LLMNR and NBT-NS activity on local network
# Run on a monitoring host to identify Responder-like behavior
 
# Check if LLMNR is disabled (should be disabled to prevent poisoning)
$llmnr = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
    -Name "EnableMulticast" -ErrorAction SilentlyContinue
Write-Host "[*] LLMNR Status: $(if ($llmnr.EnableMulticast -eq 0) { 'DISABLED (Good)' } else { 'ENABLED (Vulnerable to Responder)' })"
 
# Check if NBT-NS is disabled
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
foreach ($adapter in $adapters) {
    $nbtns = $adapter.TcpipNetbios
    $status = switch ($nbtns) {
        0 { "Default (Enabled)" }
        1 { "Enabled" }
        2 { "Disabled (Good)" }
    }
    Write-Host "[*] Adapter '$($adapter.Description)' NBT-NS: $status"
}
 
# Query Windows Firewall logs for LLMNR/NBT-NS traffic
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" `
    -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match "5355|137" -and $_.Message -match "UDP"
    } |
    Select-Object TimeCreated, @{N='Detail';E={$_.Message.Substring(0,200)}} |
    Format-Table -AutoSize
# Sigma Rule: Responder LLMNR/NBT-NS Poisoning Detection
title: Potential Responder LLMNR/NBT-NS Poisoning Activity
id: 7a8b9c0d-e1f2-3a4b-5c6d-7e8f9a0b1c2d
status: stable
description: >
  Detects a single host responding to LLMNR (UDP 5355) or NBT-NS (UDP 137)
  queries from multiple unique sources, indicating possible Responder poisoning.
references:
    - https://www.hackthebox.com/blog/ntlm-relay-attack-detection
    - https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 5355
            - 137
        action: allow
    condition: selection | count(src_ip) by dst_ip > 5
    timeframe: 5m
level: high
tags:
    - attack.credential_access
    - attack.t1557.001
falsepositives:
    - Legitimate WINS servers or DNS servers responding to broadcast queries
    - Network discovery tools performing name resolution

Step 4: SMB Signing Enforcement Audit

# PowerShell: Audit SMB Signing Status Across Domain
# SMB signing prevents NTLM relay to SMB services
 
# Check local SMB signing configuration
Write-Host "=== LOCAL SMB SIGNING STATUS ==="
$smbServer = Get-SmbServerConfiguration
Write-Host "[*] SMB Server RequireSecuritySignature: $($smbServer.RequireSecuritySignature)"
Write-Host "[*] SMB Server EnableSecuritySignature: $($smbServer.EnableSecuritySignature)"
 
$smbClient = Get-SmbClientConfiguration
Write-Host "[*] SMB Client RequireSecuritySignature: $($smbClient.RequireSecuritySignature)"
Write-Host "[*] SMB Client EnableSecuritySignature: $($smbClient.EnableSecuritySignature)"
 
# Check via registry (works on older systems)
$serverSigning = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
    -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
$clientSigning = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters" `
    -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
 
Write-Host "`n=== REGISTRY VALUES ==="
Write-Host "[*] Server RequireSecuritySignature: $($serverSigning.RequireSecuritySignature) (1=Required, 0=Not Required)"
Write-Host "[*] Client RequireSecuritySignature: $($clientSigning.RequireSecuritySignature) (1=Required, 0=Not Required)"
# PowerShell: Domain-Wide SMB Signing Audit
# Scan all domain computers for SMB signing enforcement
 
$domainComputers = Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -like "*Windows*" -and $_.Enabled -eq $true } |
    Select-Object -ExpandProperty DNSHostName
 
$results = @()
foreach ($computer in $domainComputers) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        $smbConfig = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
        $results += [PSCustomObject]@{
            Computer = $computer
            RequireSigning = $smbConfig.RequireSecuritySignature
            EnableSigning = $smbConfig.EnableSecuritySignature
            Status = if ($smbConfig.RequireSecuritySignature) { "ENFORCED" } else { "VULNERABLE" }
        }
        Remove-CimSession $session
    } catch {
        $results += [PSCustomObject]@{
            Computer = $computer
            RequireSigning = "ERROR"
            EnableSigning = "ERROR"
            Status = "UNREACHABLE"
        }
    }
}
 
# Display results sorted by vulnerability
$results | Sort-Object Status | Format-Table -AutoSize
 
# Export vulnerable hosts
$vulnerable = $results | Where-Object { $_.Status -eq "VULNERABLE" }
Write-Host "`n[!] VULNERABLE HOSTS (SMB Signing Not Required): $($vulnerable.Count)"
$vulnerable | Export-Csv -Path "smb_signing_audit.csv" -NoTypeInformation
# PowerShell: Audit LDAP Signing Status on Domain Controllers
# LDAP signing prevents NTLM relay to LDAP/LDAPS services
 
# Check LDAP signing requirement on domain controllers
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
 
foreach ($dc in $dcs) {
    # Check LDAP server signing requirement
    $ldapSigning = Invoke-Command -ComputerName $dc -ScriptBlock {
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
        $value = Get-ItemProperty -Path $regPath -Name "LDAPServerIntegrity" -ErrorAction SilentlyContinue
        return $value.LDAPServerIntegrity
    } -ErrorAction SilentlyContinue
 
    $status = switch ($ldapSigning) {
        0 { "NONE (Vulnerable)" }
        1 { "Negotiate Signing (Default - Vulnerable to relay)" }
        2 { "Require Signing (Secure)" }
        default { "Unknown/Error" }
    }
    Write-Host "[*] $dc LDAP Signing: $status"
 
    # Check LDAP channel binding
    $channelBinding = Invoke-Command -ComputerName $dc -ScriptBlock {
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
        $value = Get-ItemProperty -Path $regPath -Name "LdapEnforceChannelBinding" -ErrorAction SilentlyContinue
        return $value.LdapEnforceChannelBinding
    } -ErrorAction SilentlyContinue
 
    $cbStatus = switch ($channelBinding) {
        0 { "Disabled (Vulnerable)" }
        1 { "When Supported" }
        2 { "Always Required (Secure)" }
        default { "Not Configured (Vulnerable)" }
    }
    Write-Host "[*] $dc LDAP Channel Binding: $cbStatus"
}
# Splunk: Monitor for SMB sessions without signing
# Requires Zeek SMB logging or packet capture analysis
 
index=network sourcetype="zeek:smb_mapping:json" OR sourcetype="bro:smb_mapping:json"
| where NOT security_mode="signing_required"
| stats count dc(id_orig_h) as unique_clients by id_resp_h security_mode
| sort -unique_clients
| rename id_resp_h as smb_server
| table smb_server security_mode unique_clients count

Step 5: NTLM Downgrade Detection

# Splunk: Detect NTLMv1 Authentication (Downgrade from NTLMv2)
# NTLMv1 is weaker and easier to relay/crack -- should not be in use
 
index=wineventlog EventCode=4624 LogonType=3
    LmPackageName="NTLM V1"
| where TargetUserName != "ANONYMOUS LOGON"
    AND NOT match(TargetUserName, ".*\\$$")
| stats count values(ComputerName) as targets
    values(IpAddress) as source_ips
    by TargetUserName LmPackageName
| table TargetUserName LmPackageName source_ips targets count
| sort -count
# Splunk: Detect NTLM Downgrade Attack Pattern
# NTLMv1 appearing after a period of only NTLMv2 suggests active downgrade
 
index=wineventlog EventCode=4624 LogonType=3
    AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
| bin _time span=1h
| stats count(eval(LmPackageName="NTLM V1")) as ntlmv1_count
    count(eval(LmPackageName="NTLM V2")) as ntlmv2_count
    by _time
| where ntlmv1_count > 0
| eval ntlmv1_ratio = round(ntlmv1_count / (ntlmv1_count + ntlmv2_count) * 100, 2)
| table _time ntlmv1_count ntlmv2_count ntlmv1_ratio
| sort -_time
-- Microsoft Sentinel KQL: NTLMv1 Downgrade Detection
 
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where LmPackageName == "NTLM V1"
| where TargetUserName !endswith "$"
| where TargetUserName != "ANONYMOUS LOGON"
| project TimeGenerated, Computer, TargetUserName, WorkstationName,
    IpAddress, LmPackageName, LogonProcessName
| sort by TimeGenerated desc
# PowerShell: Detect NTLMv1 Authentication Events on Local System
 
$ntlmv1Events = Get-WinEvent -LogName Security -FilterXPath @"
*[System[(EventID=4624)]]
 and
*[EventData[Data[@Name='LmPackageName']='NTLM V1']]
"@ -MaxEvents 500 -ErrorAction SilentlyContinue
 
if ($ntlmv1Events.Count -gt 0) {
    Write-Host "[!] WARNING: $($ntlmv1Events.Count) NTLMv1 authentication events detected!" -ForegroundColor Red
    $ntlmv1Events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        [PSCustomObject]@{
            Time         = $_.TimeCreated
            TargetUser   = ($eventData | Where-Object { $_.Name -eq "TargetUserName" }).'#text'
            Workstation  = ($eventData | Where-Object { $_.Name -eq "WorkstationName" }).'#text'
            SourceIP     = ($eventData | Where-Object { $_.Name -eq "IpAddress" }).'#text'
            LmPackage    = ($eventData | Where-Object { $_.Name -eq "LmPackageName" }).'#text'
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "[+] No NTLMv1 authentication events found (Good)" -ForegroundColor Green
}
 
# Audit GPO settings for NTLM restriction
Write-Host "`n=== NTLM RESTRICTION POLICY ==="
$ntlmPolicy = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LmCompatibilityLevel" -ErrorAction SilentlyContinue
 
$level = switch ($ntlmPolicy.LmCompatibilityLevel) {
    0 { "Send LM & NTLM responses (Most Vulnerable)" }
    1 { "Send LM & NTLM - use NTLMv2 session security if negotiated" }
    2 { "Send NTLM response only" }
    3 { "Send NTLMv2 response only (Recommended minimum)" }
    4 { "Send NTLMv2 response only, refuse LM" }
    5 { "Send NTLMv2 response only, refuse LM & NTLM (Most Secure)" }
    default { "Not configured (defaults to 3 on modern Windows)" }
}
Write-Host "[*] LmCompatibilityLevel: $($ntlmPolicy.LmCompatibilityLevel) - $level"

Step 6: NTLM Audit and Restriction Policy Configuration

# PowerShell: Enable NTLM Auditing via Group Policy Registry Settings
# Must be applied via GPO for domain-wide coverage
 
# Audit all NTLM authentication in this domain
# GPO: Computer Configuration > Policies > Windows Settings > Security Settings >
#      Local Policies > Security Options >
#      Network Security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
 
# Registry equivalent (apply via GPO preferences or startup script)
# Domain Controller setting:
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
#     -Name "AuditNTLMInDomain" -Value 7 -Type DWord
 
# Audit incoming NTLM traffic on all servers:
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
#     -Name "AuditReceivingNTLMTraffic" -Value 2 -Type DWord
 
# After enabling auditing, NTLM events appear in:
# Applications and Services Logs > Microsoft > Windows > NTLM > Operational
 
# Query NTLM operational log for audit events
Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in @(8001, 8002, 8003, 8004) } |
    Select-Object TimeCreated, Id,
        @{N='EventType'; E={
            switch ($_.Id) {
                8001 { "NTLM client blocked audit" }
                8002 { "NTLM server blocked audit" }
                8003 { "NTLM server blocked in domain" }
                8004 { "NTLM authentication to DC audit" }
            }
        }},
        @{N='Detail'; E={$_.Message.Substring(0, [Math]::Min(300, $_.Message.Length))}} |
    Format-Table -AutoSize
# Splunk: Monitor NTLM Audit Events (Event ID 8004)
# Shows all NTLM authentications passing through domain controllers
 
index=wineventlog source="WinEventLog:Microsoft-Windows-NTLM/Operational"
    EventCode=8004
| rex field=Message "Calling client name:\s+(?<client_name>[^\r\n]+)"
| rex field=Message "Calling client IP:\s+(?<client_ip>[^\r\n]+)"
| rex field=Message "Server name:\s+(?<server_name>[^\r\n]+)"
| stats count dc(server_name) as unique_servers by client_name client_ip
| sort -count
| table client_name client_ip unique_servers count

Step 7: PetitPotam and Coercion Attack Detection

# Splunk: Detect PetitPotam / EFSCoerce Attack
# Monitor for machine account NTLM authentications relayed to other services
 
index=wineventlog EventCode=4624 LogonType=3
    AuthenticationPackageName="NTLM"
    TargetUserName="*$"
| where match(TargetUserName, "^[A-Z0-9\\-]+\\$$")
| eval is_dc = if(match(TargetUserName, "(DC|DCSERVER|DOMCTRL)"), "Yes", "No")
| where IpAddress != "127.0.0.1" AND IpAddress != "::1"
| stats count values(ComputerName) as target_hosts
    values(IpAddress) as source_ips by TargetUserName
| where count > 2 OR mvcount(source_ips) > 1
| table TargetUserName source_ips target_hosts count
| sort -count
-- Microsoft Sentinel KQL: PetitPotam / Coercion Attack Detection
-- Detects domain controller machine account authenticating from unexpected IPs
 
let dc_accounts = SecurityEvent
| where EventID == 4624 and LogonType == 3
| where TargetUserName endswith "$"
| where Computer startswith "DC"
| distinct TargetUserName;
 
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName in (dc_accounts)
| where IpAddress != "127.0.0.1" and IpAddress != "::1"
| extend SourceHostExpected = iff(
    Computer == replace_string(TargetUserName, "$", ""), true, false)
| where SourceHostExpected == false
| project TimeGenerated, Computer, TargetUserName, IpAddress,
    WorkstationName, LogonProcessName, AuthenticationPackageName
| sort by TimeGenerated desc
# Sigma Rule: NTLM Relay - Computer Account Authentication from Unexpected Source
title: Potential NTLM Relay of Computer Account Credentials
id: 5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b
status: stable
description: >
  Detects a computer account (ending in $) authenticating via NTLM LogonType 3
  where the source IP does not match the computer's known IP, indicating possible
  NTLM relay of coerced machine authentication (PetitPotam, DFSCoerce, PrinterBug).
references:
    - https://www.crowdstrike.com/en-us/blog/how-to-detect-domain-controller-account-relay-attacks-with-crowdstrike-identity-protection/
    - https://www.fox-it.com/nl-en/research-blog/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/
    - https://www.nccgroup.com/research-blog/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: NTLM
        TargetUserName|endswith: '$'
    filter_localhost:
        IpAddress:
            - '127.0.0.1'
            - '::1'
            - '-'
    condition: selection and not filter_localhost
level: high
tags:
    - attack.credential_access
    - attack.t1557.001
    - attack.t1187
falsepositives:
    - Legitimate NTLM authentication from machine accounts during failover
    - Cluster service machine account authentication

Step 8: Build Comprehensive Correlation Dashboard

# Splunk: NTLM Relay Detection Dashboard -- Combined Correlation Query
 
# Panel 1: IP-Hostname Mismatches (Core Relay Indicator)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON" AND NOT match(TargetUserName, ".*\\$$")
| eval mismatch=if(lower(WorkstationName) != lower(mvindex(split(IpAddress, "."), 0)),
    "POSSIBLE_MISMATCH", "OK")
| where mismatch="POSSIBLE_MISMATCH"
| stats count by TargetUserName WorkstationName IpAddress ComputerName
 
# Panel 2: NTLMv1 Downgrade Events
index=wineventlog EventCode=4624 LmPackageName="NTLM V1"
| timechart span=1h count by ComputerName
 
# Panel 3: Machine Account Relay (PetitPotam Indicator)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
    TargetUserName="*$"
| stats count values(IpAddress) as relay_sources by TargetUserName ComputerName
 
# Panel 4: NTLM Authentication Volume Anomaly
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
| timechart span=15m count
| streamstats window=20 avg(count) as avg_count stdev(count) as stdev_count
| eval upper_bound=avg_count + (3 * stdev_count)
| where count > upper_bound
 
# Panel 5: SMB Signing Status (from audit results)
| inputlookup smb_signing_audit.csv
| stats count by Status
| table Status count

Key Concepts

Term Definition
NTLM Relay (T1557.001) Attack that intercepts NTLM authentication messages and forwards them to a target service, authenticating as the victim without knowing their password
Event 4624 LogonType 3 Windows Security Event for successful network logon -- the primary event generated on relay targets; source IP field reveals the relay attacker's address
IP-Hostname Mismatch When Event 4624 WorkstationName field does not correspond to the IpAddress field, indicating the authentication was relayed through a third party
Responder Attack tool that poisons LLMNR (UDP 5355), NBT-NS (UDP 137), and mDNS (UDP 5353) responses to capture NTLM authentication from victims on the local network
ntlmrelayx Fox-IT/Impacket tool that relays captured NTLM authentication to SMB, LDAP, HTTP, MSSQL, and other protocols to gain unauthorized access
SMB Signing Cryptographic signing of SMB packets that prevents relay attacks against SMB services; must be set to "Required" (not just "Enabled") for protection
LDAP Signing Cryptographic signing of LDAP operations that prevents relay attacks against LDAP services on domain controllers; controlled by LDAPServerIntegrity registry value
LDAP Channel Binding Extended Protection for Authentication (EPA) that binds the NTLM authentication to the TLS channel, preventing relay to LDAPS
NTLMv1 Downgrade Attack forcing authentication from NTLMv2 to the weaker NTLMv1 protocol, which is easier to crack offline and has weaker relay protections
PetitPotam Coercion technique abusing MS-EFSRPC to force a domain controller to authenticate to an attacker-controlled host, enabling relay to AD CS or LDAP
LmCompatibilityLevel Registry setting controlling which NTLM version is used; value of 5 (Send NTLMv2 only, refuse LM and NTLM) provides strongest protection
Event 8004 NTLM operational log event on domain controllers showing all NTLM authentication pass-through, critical for auditing NTLM usage before restriction

Tools & Systems

Tool Purpose
Splunk / Elastic SIEM Log aggregation and correlation for Event 4624 analysis, IP-hostname mismatch detection, and NTLM downgrade monitoring
Microsoft Sentinel Cloud SIEM with KQL queries for NTLM relay detection and built-in analytics rules for PetitPotam
CrowdStrike Falcon Identity Protection Detects NTLM relay attacks against domain controller accounts regardless of coercion method used
Responder LLMNR/NBT-NS/mDNS poisoning tool used by attackers -- understanding its behavior is essential for detection
ntlmrelayx (Impacket) Multi-protocol NTLM relay tool developed by Fox-IT -- used in testing and by adversaries
PingCastle Active Directory security assessment tool that audits SMB signing, LDAP signing, and NTLM configuration
Zeek Network security monitor for capturing SMB signing negotiation, LLMNR traffic, and DCE-RPC activity
Sigma Vendor-agnostic detection rule format for portable NTLM relay detection rules

Common Scenarios

Scenario 1: Responder Poisoning with NTLM Relay to File Server

Context: A SOC analyst observes multiple Event 4624 LogonType 3 entries on a file server (10.10.20.100) where the WorkstationName field shows different workstation names but the IpAddress field consistently shows 10.10.5.50, a host not in the IT asset inventory.

Approach:

  1. Query Event 4624 on 10.10.20.100 filtered for IpAddress=10.10.5.50: find 15 successful NTLM logons in 30 minutes from 8 different user accounts
  2. Cross-reference 10.10.5.50 with DHCP logs and DNS: host is not a registered domain member, MAC address shows a Linux-based NIC
  3. Query Zeek network logs for 10.10.5.50: identify LLMNR responses (UDP 5355) to multiple workstations and SMB connections to 10.10.20.100
  4. Confirm IP-hostname mismatch: WorkstationName values (WS-FINANCE01, WS-HR03, etc.) all resolve to different IPs in DNS, not 10.10.5.50
  5. Check SMB signing on 10.10.20.100: RequireSecuritySignature is False, enabling the relay attack
  6. Contain: block 10.10.5.50 at the switch, force password reset for all 8 affected accounts, enable SMB signing on the file server
  7. Remediate: disable LLMNR and NBT-NS via GPO, enforce SMB signing domain-wide

Pitfalls:

  • Dismissing the multiple logons as normal network activity without checking the IP-hostname correlation
  • Not checking SMB signing status on the target server to understand why the relay succeeded
  • Only resetting the password for one user instead of all accounts that were relayed

Scenario 2: PetitPotam Relay to AD Certificate Services

Context: During a threat hunt, an analyst finds Event 4624 LogonType 3 on the AD CS server (ADCS01) showing the domain controller machine account (DC01$) authenticating via NTLM from IP 10.10.5.50, which is not the DC's IP address (10.10.1.10).

Approach:

  1. Confirm the anomaly: DC01$ should only authenticate from 10.10.1.10, but Event 4624 shows authentication from 10.10.5.50 via NTLM (not Kerberos)
  2. Check for certificate enrollment: query AD CS logs for certificate requests from DC01$ around the same timestamp -- find a certificate issued for DC01$
  3. Identify the attack: PetitPotam coerced DC01 to authenticate to 10.10.5.50, which relayed the authentication to ADCS01 to request a certificate for DC01$
  4. Assess impact: with a DC certificate, the attacker can authenticate as DC01$ and perform DCSync to extract all domain credentials
  5. Revoke the fraudulently issued certificate immediately
  6. Check for DCSync activity: query Event 4662 for directory replication from non-DC sources
  7. Contain: isolate 10.10.5.50, revoke certificate, patch EFS (MS-EFSRPC), enforce EPA on AD CS, require LDAP signing on all DCs

Pitfalls:

  • Not recognizing that machine account NTLM authentication from an unexpected IP is a critical indicator of coercion + relay
  • Failing to check AD CS for fraudulent certificate issuance, which represents the actual objective of the attack
  • Not auditing LDAP signing and EPA on AD CS servers, which would have prevented the relay

Output Format

Hunt ID: TH-NTLM-RELAY-[DATE]-[SEQ]
Alert Severity: Critical
MITRE Technique: T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)
 
Relay Indicators:
  Victim Account: [Domain\Username or Machine$]
  WorkstationName: [Victim hostname from Event 4624]
  Expected Source IP: [IP matching WorkstationName in DNS/DHCP]
  Actual Source IP: [Attacker/relay IP from Event 4624 IpAddress field]
  Target Host: [Server receiving the relayed authentication]
 
Authentication Details:
  Event ID: 4624
  LogonType: 3 (Network)
  AuthenticationPackage: NTLM
  LmPackageName: [NTLM V1 or NTLM V2]
  LogonProcess: [NtLmSsp]
  Timestamp: [Event time]
 
Signing Status:
  Target SMB Signing: [Required/Not Required]
  Target LDAP Signing: [Required/Not Required]
  LDAP Channel Binding: [Required/Not Required]
 
Poisoning Evidence:
  LLMNR Activity: [Detected/Not Detected from relay IP]
  NBT-NS Activity: [Detected/Not Detected from relay IP]
  Coercion Method: [PetitPotam/DFSCoerce/PrinterBug/Unknown]
 
Risk Assessment: [Critical - relay from DC / High - relay from user account]
Recommended Actions:
  - Immediate: [Block relay IP, reset affected credentials]
  - Short-term: [Enable SMB/LDAP signing, disable LLMNR/NBT-NS]
  - Long-term: [Migrate to Kerberos, enforce EPA, restrict NTLM via GPO]
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md7.2 KB

NTLM Relay Detection API Reference

MITRE ATT&CK Mapping

Technique ID Description
LLMNR/NBT-NS Poisoning and SMB Relay T1557.001 Poisoning name resolution to capture and relay NTLM auth
Forced Authentication T1187 Coercing systems to authenticate (PetitPotam, PrinterBug)
Adversary-in-the-Middle T1557 Parent technique for relay and poisoning attacks
Exploitation for Credential Access T1212 Exploiting protocol weaknesses for credential theft

Windows Security Event IDs for NTLM Relay Detection

Event ID Log Relay Significance
4624 (Type 3) Security Network logon -- primary relay detection event. Check IP vs WorkstationName
4625 Security Failed logon -- relay failures leave traces here
4648 Security Explicit credential logon -- may appear in some relay scenarios
4776 Security NTLM credential validation on domain controller
8001 NTLM Operational NTLM client blocked audit
8002 NTLM Operational NTLM server blocked audit
8003 NTLM Operational NTLM server blocked in domain
8004 NTLM Operational NTLM authentication to DC audit (critical for inventory)

Event 4624 Key Fields for Relay Detection

Field Normal Value Relay Indicator
LogonType 3 Always 3 for network relay
AuthenticationPackageName NTLM Must be NTLM (Kerberos cannot be relayed)
LmPackageName NTLM V2 NTLM V1 indicates downgrade attack
WorkstationName Victim hostname Name of victim machine (not the relay host)
IpAddress Victim IP Attacker/relay IP (MISMATCH = relay indicator)
LogonProcessName NtLmSsp Standard for NTLM logon
ImpersonationLevel Delegation/Impersonation High privilege relay

SMB Signing Registry Keys

Registry Path Value Secure Setting
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature REG_DWORD 1 (Required)
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature REG_DWORD 1 (Enabled)
HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature REG_DWORD 1 (Required)

LDAP Signing Registry Keys (Domain Controllers)

Registry Path Value Meaning
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity 0 None (Vulnerable)
1 Negotiate (Default - Vulnerable)
2 Required (Secure)
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding 0 Disabled (Vulnerable)
1 When Supported
2 Always Required (Secure)

NTLM Configuration Registry Keys

Registry Path Value Meaning
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel 0 Send LM & NTLM (Most Vulnerable)
1 Send LM & NTLM, NTLMv2 session if negotiated
2 Send NTLM only
3 Send NTLMv2 only (Recommended minimum)
4 Send NTLMv2 only, refuse LM
5 Send NTLMv2 only, refuse LM & NTLM (Most Secure)
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast 0 LLMNR Disabled (Secure)
1 LLMNR Enabled (Vulnerable to Responder)

Network Indicators

Protocol Port Attack Role
UDP 5355 LLMNR -- Responder poisoning target
UDP 137 NBT-NS -- Responder poisoning target
UDP 5353 mDNS -- Responder poisoning target
TCP 445 SMB -- relay target (if signing not enforced)
TCP 389 LDAP -- relay target (if signing not enforced)
TCP 636 LDAPS -- relay target (if channel binding not enforced)
TCP 80/443 HTTP(S) -- relay target for AD CS enrollment
TCP 135 RPC -- used for coercion (PetitPotam, PrinterBug)

Coercion Methods

Method Protocol Vulnerability Target
PetitPotam MS-EFSRPC CVE-2021-36942 Domain controllers -> AD CS
DFSCoerce MS-DFSNM N/A Domain controllers
PrinterBug (SpoolSample) MS-RPRN By design Any host with Print Spooler
ShadowCoerce MS-FSRVP N/A Hosts with File Server VSS Agent

Splunk SPL - NTLM Relay Detection Queries

# IP-hostname mismatch detection
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
| lookup dns_inventory hostname AS WorkstationName OUTPUT expected_ip
| where isnotnull(expected_ip) AND IpAddress != expected_ip
| table _time ComputerName TargetUserName WorkstationName IpAddress expected_ip
 
# NTLMv1 downgrade detection
index=wineventlog EventCode=4624 LmPackageName="NTLM V1"
| where TargetUserName != "ANONYMOUS LOGON"
| stats count by TargetUserName IpAddress ComputerName
 
# Machine account relay (PetitPotam indicator)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
    TargetUserName="*$"
| stats dc(IpAddress) as source_count values(IpAddress) as sources by TargetUserName
| where source_count > 1

KQL - Microsoft Sentinel Queries

// NTLM relay IP-hostname mismatch
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName !endswith "$" and TargetUserName != "ANONYMOUS LOGON"
| where IpAddress != "-" and IpAddress != "127.0.0.1"
| project TimeGenerated, Computer, TargetUserName, WorkstationName, IpAddress, LmPackageName
 
// NTLMv1 downgrade detection
SecurityEvent
| where EventID == 4624 and LmPackageName == "NTLM V1"
| where TargetUserName !endswith "$"
| summarize Count=count() by TargetUserName, IpAddress, Computer

python-evtx - Parse Security EVTX

from Evtx.Evtx import FileHeader
from lxml import etree
 
NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}
with open("Security.evtx", "rb") as f:
    fh = FileHeader(f)
    for record in fh.records():
        root = etree.fromstring(record.xml().encode("utf-8"))
        eid = root.find(".//evt:System/evt:EventID", NS)
        if eid is not None and eid.text == "4624":
            data = {e.get("Name"): e.text for e in root.findall(".//evt:EventData/evt:Data", NS)}
            if data.get("AuthenticationPackageName") == "NTLM" and data.get("LogonType") == "3":
                print(data.get("TargetUserName"), data.get("WorkstationName"), data.get("IpAddress"))

References

Scripts 3

agent.py14.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""NTLM Relay Detection Agent - Detects NTLM relay via Event 4624 correlation and signing audit."""

import json
import logging
import argparse
import csv
import os
import sys
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

EVTX_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
RAPID_AUTH_WINDOW_DEFAULT = 120
RAPID_AUTH_THRESHOLD_DEFAULT = 3
SUBPROCESS_TIMEOUT = 30


def parse_security_evtx(evtx_path):
    """Parse Windows Security EVTX for Event 4624/4625/4776."""
    try:
        from Evtx.Evtx import FileHeader
        from lxml import etree
    except ImportError:
        logger.error("Required packages missing. Install: pip install python-evtx lxml")
        sys.exit(1)

    events = []
    target_ids = {"4624", "4625", "4776"}
    ns = {"evt": EVTX_NS}
    with open(evtx_path, "rb") as f:
        fh = FileHeader(f)
        for record in fh.records():
            try:
                xml = record.xml()
                root = etree.fromstring(xml.encode("utf-8"))
                eid_elem = root.find(".//evt:System/evt:EventID", ns)
                if eid_elem is None or eid_elem.text not in target_ids:
                    continue
                data = {}
                for elem in root.findall(".//evt:EventData/evt:Data", ns):
                    data[elem.get("Name", "")] = elem.text or ""
                time_elem = root.find(".//evt:System/evt:TimeCreated", ns)
                data["TimeCreated"] = time_elem.get("SystemTime", "") if time_elem is not None else ""
                comp_elem = root.find(".//evt:System/evt:Computer", ns)
                data["Computer"] = comp_elem.text if comp_elem is not None else ""
                data["EventID"] = eid_elem.text
                events.append(data)
            except Exception:
                continue
    logger.info("Parsed %d security events from %s", len(events), evtx_path)
    return events


def load_inventory(csv_path):
    """Load hostname-to-IP inventory from CSV (columns: hostname, ip_address)."""
    inventory = {}
    try:
        with open(csv_path, "r", newline="") as f:
            reader = csv.DictReader(f)
            for row in reader:
                hostname = row.get("hostname", "").strip().upper()
                ip = row.get("ip_address", "").strip()
                if hostname and ip:
                    inventory[hostname] = ip
    except Exception as e:
        logger.error("Failed to load inventory: %s", e)
    logger.info("Loaded %d hosts from inventory", len(inventory))
    return inventory


def detect_ip_hostname_mismatch(events, inventory):
    """Detect NTLM relay via IP-hostname mismatch in Event 4624 LogonType 3."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user = ev.get("TargetUserName", "")
        if user.endswith("$") or user in ("ANONYMOUS LOGON", "-", ""):
            continue
        source_ip = ev.get("IpAddress", "")
        if source_ip in ("-", "::1", "127.0.0.1", ""):
            continue
        workstation = ev.get("WorkstationName", "").strip().upper()
        if workstation in inventory:
            expected = inventory[workstation]
            if source_ip != expected:
                findings.append({
                    "detection": "IP-Hostname Mismatch (NTLM Relay Indicator)",
                    "severity": "CRITICAL",
                    "mitre": "T1557.001",
                    "timestamp": ev.get("TimeCreated"),
                    "target_host": ev.get("Computer"),
                    "target_user": user,
                    "workstation": workstation,
                    "actual_ip": source_ip,
                    "expected_ip": expected,
                    "lm_package": ev.get("LmPackageName"),
                })
    logger.info("IP-hostname mismatch findings: %d", len(findings))
    return findings


def detect_rapid_auth(events, window=RAPID_AUTH_WINDOW_DEFAULT, threshold=RAPID_AUTH_THRESHOLD_DEFAULT):
    """Detect rapid NTLM authentication to multiple targets (relay spraying)."""
    findings = []
    auth_groups = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user = ev.get("TargetUserName", "")
        ip = ev.get("IpAddress", "")
        if user.endswith("$") or user in ("ANONYMOUS LOGON", "-", ""):
            continue
        if ip in ("-", "::1", "127.0.0.1", ""):
            continue
        try:
            ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
        except (ValueError, KeyError):
            continue
        auth_groups[(ip, user)].append({"ts": ts, "target": ev.get("Computer", "")})

    for (ip, user), auths in auth_groups.items():
        auths.sort(key=lambda x: x["ts"])
        for i in range(len(auths)):
            start = auths[i]["ts"]
            end = start + timedelta(seconds=window)
            targets = set()
            for j in range(i, len(auths)):
                if auths[j]["ts"] <= end:
                    targets.add(auths[j]["target"])
                else:
                    break
            if len(targets) >= threshold:
                findings.append({
                    "detection": "Rapid Multi-Host NTLM Auth (Relay Spraying)",
                    "severity": "HIGH",
                    "mitre": "T1557.001",
                    "timestamp": start.isoformat(),
                    "source_ip": ip,
                    "target_user": user,
                    "unique_targets": len(targets),
                    "targets": sorted(targets),
                    "window_seconds": window,
                })
                break
    logger.info("Rapid auth findings: %d", len(findings))
    return findings


def detect_ntlmv1_downgrade(events):
    """Detect NTLMv1 authentication events indicating downgrade attack."""
    findings = []
    v1_by_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        lm = ev.get("LmPackageName", "")
        if "NTLM V1" not in lm:
            continue
        user = ev.get("TargetUserName", "")
        if user.endswith("$") or user in ("ANONYMOUS LOGON", "-", ""):
            continue
        v1_by_user[user].append({
            "ts": ev.get("TimeCreated"),
            "target": ev.get("Computer"),
            "ip": ev.get("IpAddress"),
        })

    for user, auths in v1_by_user.items():
        findings.append({
            "detection": "NTLMv1 Downgrade Detected",
            "severity": "HIGH",
            "mitre": "T1557.001",
            "timestamp": auths[0]["ts"],
            "target_user": user,
            "ntlmv1_count": len(auths),
            "source_ips": sorted(set(a["ip"] for a in auths)),
            "targets": sorted(set(a["target"] for a in auths)),
        })
    logger.info("NTLMv1 downgrade findings: %d", len(findings))
    return findings


def detect_machine_relay(events):
    """Detect machine account NTLM relay (PetitPotam, DFSCoerce, PrinterBug)."""
    findings = []
    machine_auths = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user = ev.get("TargetUserName", "")
        if not user.endswith("$"):
            continue
        ip = ev.get("IpAddress", "")
        if ip in ("-", "::1", "127.0.0.1", ""):
            continue
        machine_auths[user].append({
            "ts": ev.get("TimeCreated"),
            "target": ev.get("Computer"),
            "ip": ip,
        })

    for machine, auths in machine_auths.items():
        ips = set(a["ip"] for a in auths)
        if len(ips) > 1:
            findings.append({
                "detection": "Machine Account Relay (Coercion + NTLM Relay)",
                "severity": "CRITICAL",
                "mitre": "T1557.001",
                "timestamp": auths[0]["ts"],
                "machine_account": machine,
                "source_ips": sorted(ips),
                "targets": sorted(set(a["target"] for a in auths)),
                "auth_count": len(auths),
            })
    logger.info("Machine account relay findings: %d", len(findings))
    return findings


def audit_smb_signing_local():
    """Audit local SMB signing configuration (Windows only)."""
    if sys.platform != "win32":
        logger.info("SMB signing audit only available on Windows")
        return {}

    audit = {}
    checks = {
        "SMB_Server_RequireSign": (
            r"HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
            "RequireSecuritySignature"
        ),
        "SMB_Client_RequireSign": (
            r"HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters",
            "RequireSecuritySignature"
        ),
        "LmCompatibilityLevel": (
            r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
            "LmCompatibilityLevel"
        ),
        "LLMNR_Disabled": (
            r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient",
            "EnableMulticast"
        ),
    }

    for label, (key, value_name) in checks.items():
        try:
            result = subprocess.run(
                ["reg", "query", key, "/v", value_name],
                capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT
            )
            if result.returncode == 0:
                for line in result.stdout.splitlines():
                    if value_name in line:
                        parts = line.strip().split()
                        audit[label] = parts[-1] if parts else "UNKNOWN"
                        break
            else:
                audit[label] = "NOT_CONFIGURED"
        except subprocess.TimeoutExpired:
            audit[label] = "TIMEOUT"
        except Exception as e:
            audit[label] = f"ERROR: {e}"

    # Evaluate risk
    smb_server = audit.get("SMB_Server_RequireSign", "")
    audit["SMB_Relay_Vulnerable"] = "YES" if smb_server != "0x1" else "NO"

    lm_level = audit.get("LmCompatibilityLevel", "")
    try:
        lm_int = int(lm_level, 0)
        audit["NTLMv1_Vulnerable"] = "YES" if lm_int < 3 else "NO"
    except (ValueError, TypeError):
        audit["NTLMv1_Vulnerable"] = "UNKNOWN"

    llmnr = audit.get("LLMNR_Disabled", "")
    audit["Responder_Vulnerable"] = "NO" if llmnr == "0x0" else "YES"

    return audit


def generate_report(all_findings, smb_audit, output_path):
    """Generate JSON detection report."""
    report = {
        "scan_timestamp": datetime.utcnow().isoformat() + "Z",
        "mitre_technique": "T1557.001",
        "summary": {
            "total_findings": len(all_findings),
            "critical": len([f for f in all_findings if f.get("severity") == "CRITICAL"]),
            "high": len([f for f in all_findings if f.get("severity") == "HIGH"]),
            "medium": len([f for f in all_findings if f.get("severity") == "MEDIUM"]),
        },
        "findings": all_findings,
        "smb_signing_audit": smb_audit,
    }

    with open(output_path, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("Report saved to %s", output_path)

    s = report["summary"]
    print(f"\nNTLM RELAY DETECTION REPORT")
    print(f"  Total findings: {s['total_findings']}")
    print(f"  Critical: {s['critical']}, High: {s['high']}, Medium: {s['medium']}")
    if s["critical"] > 0:
        print("  [!!!] CRITICAL: IP-hostname mismatch or machine account relay detected")
    if smb_audit.get("SMB_Relay_Vulnerable") == "YES":
        print("  [!] WARNING: SMB signing NOT enforced on this host")
    if smb_audit.get("Responder_Vulnerable") == "YES":
        print("  [!] WARNING: LLMNR enabled - vulnerable to Responder poisoning")
    return report


def main():
    parser = argparse.ArgumentParser(
        description="NTLM Relay Detection Agent (T1557.001)"
    )
    parser.add_argument("--evtx", required=True, help="Path to Windows Security .evtx file")
    parser.add_argument("--inventory", help="CSV file with hostname,ip_address columns for mismatch detection")
    parser.add_argument("--output", "-o", default="ntlm_relay_report.json",
                        help="Output JSON report path (default: ntlm_relay_report.json)")
    parser.add_argument("--rapid-window", type=int, default=RAPID_AUTH_WINDOW_DEFAULT,
                        help=f"Rapid auth detection window in seconds (default: {RAPID_AUTH_WINDOW_DEFAULT})")
    parser.add_argument("--rapid-threshold", type=int, default=RAPID_AUTH_THRESHOLD_DEFAULT,
                        help=f"Min unique targets for rapid auth alert (default: {RAPID_AUTH_THRESHOLD_DEFAULT})")
    parser.add_argument("--audit-signing", action="store_true",
                        help="Audit local SMB/NTLM signing configuration (Windows only)")
    parser.add_argument("--verbose", "-v", action="store_true", help="Enable debug logging")
    args = parser.parse_args()

    if args.verbose:
        logging.getLogger().setLevel(logging.DEBUG)

    if not os.path.isfile(args.evtx):
        logger.error("EVTX file not found: %s", args.evtx)
        sys.exit(1)

    inventory = {}
    if args.inventory:
        if os.path.isfile(args.inventory):
            inventory = load_inventory(args.inventory)
        else:
            logger.warning("Inventory file not found: %s", args.inventory)

    logger.info("Parsing security events from: %s", args.evtx)
    events = parse_security_evtx(args.evtx)

    mismatch = detect_ip_hostname_mismatch(events, inventory) if inventory else []
    rapid = detect_rapid_auth(events, args.rapid_window, args.rapid_threshold)
    downgrade = detect_ntlmv1_downgrade(events)
    machine = detect_machine_relay(events)

    if not inventory:
        logger.warning("No inventory provided (--inventory). IP-hostname mismatch detection disabled.")

    all_findings = mismatch + machine + rapid + downgrade
    all_findings.sort(key=lambda x: {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}.get(
        x.get("severity", "LOW"), 4))

    smb_audit = audit_smb_signing_local() if args.audit_signing else {}

    generate_report(all_findings, smb_audit, args.output)


if __name__ == "__main__":
    main()
audit_smb_signing.ps113.6 KB
Display-only source. This catalog never executes bundled scripts.
#Requires -Version 5.1
<#
.SYNOPSIS
    Audits SMB signing, LDAP signing, and NTLM configuration across Active Directory.

.DESCRIPTION
    This script performs a comprehensive audit of NTLM relay attack surface by checking:
    - SMB signing enforcement on all domain-joined Windows hosts
    - LDAP signing and channel binding on domain controllers
    - LmCompatibilityLevel (NTLMv1 vs NTLMv2 enforcement)
    - LLMNR and NBT-NS configuration
    - NTLM restriction policies
    Outputs results to CSV and provides a risk summary.

.PARAMETER OutputPath
    Directory to save audit results. Defaults to current directory.

.PARAMETER DomainControllerOnly
    Only audit domain controllers (faster for large environments).

.PARAMETER SkipConnectivity
    Skip remote connectivity checks (only check local configuration).

.EXAMPLE
    .\audit_smb_signing.ps1 -OutputPath C:\AuditResults
    .\audit_smb_signing.ps1 -DomainControllerOnly
#>

[CmdletBinding()]
param(
    [Parameter()]
    [string]$OutputPath = ".",

    [Parameter()]
    [switch]$DomainControllerOnly,

    [Parameter()]
    [switch]$SkipConnectivity
)

$ErrorActionPreference = "Continue"
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"

Write-Host @"
==============================================================================
  NTLM Relay Attack Surface Audit
  Checks SMB Signing, LDAP Signing, NTLM Configuration
  MITRE ATT&CK: T1557.001
  Run Time: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")
==============================================================================
"@

# ============================================================================
# Section 1: SMB Signing Audit
# ============================================================================
Write-Host "`n[*] Section 1: SMB Signing Audit" -ForegroundColor Cyan

$smbResults = @()

if ($DomainControllerOnly) {
    Write-Host "[*] Scanning domain controllers only..."
    $targets = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
} else {
    Write-Host "[*] Scanning all domain computers..."
    $targets = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like "*Windows*" } |
        Select-Object -ExpandProperty DNSHostName
}

Write-Host "[*] Found $($targets.Count) targets to audit"

$counter = 0
foreach ($target in $targets) {
    $counter++
    Write-Progress -Activity "Auditing SMB Signing" -Status "$target ($counter/$($targets.Count))" `
        -PercentComplete (($counter / $targets.Count) * 100)

    $result = [PSCustomObject]@{
        Hostname              = $target
        Reachable             = $false
        SMBServerSignRequired = "Unknown"
        SMBServerSignEnabled  = "Unknown"
        SMBClientSignRequired = "Unknown"
        SMBClientSignEnabled  = "Unknown"
        RelayVulnerable       = "Unknown"
        ErrorDetail           = ""
    }

    if (-not $SkipConnectivity) {
        try {
            $session = New-CimSession -ComputerName $target -OperationTimeoutSec 10 -ErrorAction Stop
            $result.Reachable = $true

            $serverConfig = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
            $result.SMBServerSignRequired = $serverConfig.RequireSecuritySignature
            $result.SMBServerSignEnabled = $serverConfig.EnableSecuritySignature

            try {
                $clientConfig = Get-SmbClientConfiguration -CimSession $session -ErrorAction Stop
                $result.SMBClientSignRequired = $clientConfig.RequireSecuritySignature
                $result.SMBClientSignEnabled = $clientConfig.EnableSecuritySignature
            } catch {
                $result.SMBClientSignRequired = "Error"
                $result.SMBClientSignEnabled = "Error"
            }

            # Determine relay vulnerability
            if ($serverConfig.RequireSecuritySignature -eq $true) {
                $result.RelayVulnerable = "No - SMB Signing Required"
            } elseif ($serverConfig.EnableSecuritySignature -eq $true) {
                $result.RelayVulnerable = "Partial - Signing Enabled but Not Required"
            } else {
                $result.RelayVulnerable = "YES - SMB Signing Not Enforced"
            }

            Remove-CimSession $session
        } catch {
            $result.ErrorDetail = $_.Exception.Message
            $result.RelayVulnerable = "Unknown - Connection Failed"
        }
    }

    $smbResults += $result
}

Write-Progress -Activity "Auditing SMB Signing" -Completed

$smbCsvPath = Join-Path $OutputPath "smb_signing_audit_$timestamp.csv"
$smbResults | Export-Csv -Path $smbCsvPath -NoTypeInformation
Write-Host "[*] SMB signing results saved to: $smbCsvPath"

$vulnerable = @($smbResults | Where-Object { $_.RelayVulnerable -like "YES*" })
$partial = @($smbResults | Where-Object { $_.RelayVulnerable -like "Partial*" })
$secure = @($smbResults | Where-Object { $_.RelayVulnerable -like "No*" })

Write-Host "`n  SMB Signing Summary:"
Write-Host "  Fully Protected (Signing Required): $($secure.Count)" -ForegroundColor Green
Write-Host "  Partially Protected (Signing Enabled): $($partial.Count)" -ForegroundColor Yellow
Write-Host "  VULNERABLE (Signing Not Enforced): $($vulnerable.Count)" -ForegroundColor Red

if ($vulnerable.Count -gt 0) {
    Write-Host "`n  [!] Vulnerable hosts:" -ForegroundColor Red
    $vulnerable | Select-Object -First 10 | ForEach-Object {
        Write-Host "      $($_.Hostname)" -ForegroundColor Red
    }
    if ($vulnerable.Count -gt 10) {
        Write-Host "      ... and $($vulnerable.Count - 10) more (see CSV)" -ForegroundColor Red
    }
}

# ============================================================================
# Section 2: LDAP Signing Audit (Domain Controllers)
# ============================================================================
Write-Host "`n[*] Section 2: LDAP Signing Audit (Domain Controllers)" -ForegroundColor Cyan

$ldapResults = @()
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, OperatingSystem

foreach ($dc in $dcs) {
    $ldapResult = [PSCustomObject]@{
        DCHostname     = $dc.HostName
        IPAddress      = $dc.IPv4Address
        OS             = $dc.OperatingSystem
        LDAPSigning    = "Unknown"
        ChannelBinding = "Unknown"
        RelayToLDAP    = "Unknown"
        ErrorDetail    = ""
    }

    try {
        $ldapSigning = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
            $signing = (Get-ItemProperty -Path $regPath -Name "LDAPServerIntegrity" -ErrorAction SilentlyContinue).LDAPServerIntegrity
            $binding = (Get-ItemProperty -Path $regPath -Name "LdapEnforceChannelBinding" -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
            return @{ Signing = $signing; Binding = $binding }
        } -ErrorAction Stop

        $ldapResult.LDAPSigning = switch ($ldapSigning.Signing) {
            0 { "None (VULNERABLE)" }
            1 { "Negotiate (Default - VULNERABLE to relay)" }
            2 { "Required (Secure)" }
            default { "Not Configured (defaults to Negotiate - VULNERABLE)" }
        }

        $ldapResult.ChannelBinding = switch ($ldapSigning.Binding) {
            0 { "Disabled (VULNERABLE)" }
            1 { "When Supported" }
            2 { "Always Required (Secure)" }
            default { "Not Configured (VULNERABLE)" }
        }

        if ($ldapSigning.Signing -eq 2 -and $ldapSigning.Binding -eq 2) {
            $ldapResult.RelayToLDAP = "No - Signing and Channel Binding Required"
        } elseif ($ldapSigning.Signing -eq 2) {
            $ldapResult.RelayToLDAP = "Partial - Signing Required but Channel Binding Not Enforced"
        } else {
            $ldapResult.RelayToLDAP = "YES - LDAP Relay Possible"
        }
    } catch {
        $ldapResult.ErrorDetail = $_.Exception.Message
    }

    $ldapResults += $ldapResult
}

$ldapCsvPath = Join-Path $OutputPath "ldap_signing_audit_$timestamp.csv"
$ldapResults | Export-Csv -Path $ldapCsvPath -NoTypeInformation
Write-Host "[*] LDAP signing results saved to: $ldapCsvPath"

foreach ($r in $ldapResults) {
    $color = if ($r.RelayToLDAP -like "YES*") { "Red" } elseif ($r.RelayToLDAP -like "Partial*") { "Yellow" } else { "Green" }
    Write-Host "  $($r.DCHostname): LDAP=$($r.LDAPSigning), ChannelBinding=$($r.ChannelBinding)" -ForegroundColor $color
}

# ============================================================================
# Section 3: NTLM Configuration Audit
# ============================================================================
Write-Host "`n[*] Section 3: NTLM Configuration Audit" -ForegroundColor Cyan

$ntlmResults = @()

foreach ($target in $targets | Select-Object -First 50) {
    $ntlmResult = [PSCustomObject]@{
        Hostname           = $target
        LmCompatLevel      = "Unknown"
        LmCompatDesc       = "Unknown"
        NTLMRestriction    = "Unknown"
        LLMNREnabled       = "Unknown"
        NBTNSEnabled       = "Unknown"
        NTLMv1Vulnerable   = "Unknown"
        ErrorDetail        = ""
    }

    try {
        $config = Invoke-Command -ComputerName $target -ScriptBlock {
            $lmLevel = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
                -Name "LmCompatibilityLevel" -ErrorAction SilentlyContinue).LmCompatibilityLevel

            $llmnr = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
                -Name "EnableMulticast" -ErrorAction SilentlyContinue).EnableMulticast

            $ntlmRestrict = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
                -Name "RestrictReceivingNTLMTraffic" -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic

            return @{
                LmLevel = $lmLevel
                LLMNR = $llmnr
                NTLMRestrict = $ntlmRestrict
            }
        } -ErrorAction Stop

        $ntlmResult.LmCompatLevel = $config.LmLevel
        $ntlmResult.LmCompatDesc = switch ($config.LmLevel) {
            0 { "Send LM & NTLM (CRITICAL - NTLMv1 active)" }
            1 { "Send LM & NTLM, use NTLMv2 session if negotiated" }
            2 { "Send NTLM only (NTLMv1)" }
            3 { "Send NTLMv2 only (Recommended minimum)" }
            4 { "Send NTLMv2 only, refuse LM" }
            5 { "Send NTLMv2 only, refuse LM & NTLM (Most Secure)" }
            default { "Not configured (defaults to 3)" }
        }

        $ntlmResult.NTLMv1Vulnerable = if ($config.LmLevel -lt 3 -and $null -ne $config.LmLevel) {
            "YES - NTLMv1 may be used"
        } else {
            "No - NTLMv2 enforced"
        }

        $ntlmResult.LLMNREnabled = if ($config.LLMNR -eq 0) { "Disabled (Secure)" } else { "Enabled (VULNERABLE to Responder)" }

        $ntlmResult.NTLMRestriction = switch ($config.NTLMRestrict) {
            0 { "Allow all" }
            1 { "Deny all domain accounts" }
            2 { "Deny all accounts" }
            default { "Not configured (Allow all)" }
        }
    } catch {
        $ntlmResult.ErrorDetail = $_.Exception.Message
    }

    $ntlmResults += $ntlmResult
}

$ntlmCsvPath = Join-Path $OutputPath "ntlm_config_audit_$timestamp.csv"
$ntlmResults | Export-Csv -Path $ntlmCsvPath -NoTypeInformation
Write-Host "[*] NTLM configuration results saved to: $ntlmCsvPath"

$ntlmv1Vuln = @($ntlmResults | Where-Object { $_.NTLMv1Vulnerable -like "YES*" })
$llmnrVuln = @($ntlmResults | Where-Object { $_.LLMNREnabled -like "Enabled*" })

Write-Host "`n  NTLM Configuration Summary:"
Write-Host "  Hosts vulnerable to NTLMv1 downgrade: $($ntlmv1Vuln.Count)" -ForegroundColor $(if ($ntlmv1Vuln.Count -gt 0) { "Red" } else { "Green" })
Write-Host "  Hosts with LLMNR enabled (Responder target): $($llmnrVuln.Count)" -ForegroundColor $(if ($llmnrVuln.Count -gt 0) { "Red" } else { "Green" })

# ============================================================================
# Section 4: Overall Risk Assessment
# ============================================================================
Write-Host "`n" + ("=" * 78) -ForegroundColor Cyan
Write-Host "  OVERALL NTLM RELAY RISK ASSESSMENT" -ForegroundColor Cyan
Write-Host ("=" * 78) -ForegroundColor Cyan

$riskScore = 0
$recommendations = @()

if ($vulnerable.Count -gt 0) {
    $riskScore += 30
    $recommendations += "CRITICAL: Enforce SMB signing on $($vulnerable.Count) hosts via GPO"
}

$ldapVuln = @($ldapResults | Where-Object { $_.RelayToLDAP -like "YES*" })
if ($ldapVuln.Count -gt 0) {
    $riskScore += 30
    $recommendations += "CRITICAL: Enforce LDAP signing on $($ldapVuln.Count) domain controllers"
}

if ($ntlmv1Vuln.Count -gt 0) {
    $riskScore += 20
    $recommendations += "HIGH: Set LmCompatibilityLevel >= 3 on $($ntlmv1Vuln.Count) hosts to prevent NTLMv1"
}

if ($llmnrVuln.Count -gt 0) {
    $riskScore += 20
    $recommendations += "HIGH: Disable LLMNR via GPO on $($llmnrVuln.Count) hosts to prevent Responder poisoning"
}

$riskLevel = switch {
    ($riskScore -ge 60) { "CRITICAL" }
    ($riskScore -ge 40) { "HIGH" }
    ($riskScore -ge 20) { "MEDIUM" }
    default { "LOW" }
}

$riskColor = switch ($riskLevel) {
    "CRITICAL" { "Red" }
    "HIGH" { "Red" }
    "MEDIUM" { "Yellow" }
    "LOW" { "Green" }
}

Write-Host "`n  Risk Level: $riskLevel (Score: $riskScore/100)" -ForegroundColor $riskColor
Write-Host "`n  Recommendations:" -ForegroundColor White
foreach ($rec in $recommendations) {
    Write-Host "    - $rec" -ForegroundColor Yellow
}

if ($recommendations.Count -eq 0) {
    Write-Host "    - No critical issues found. Continue monitoring NTLM usage via Event 8004." -ForegroundColor Green
}

Write-Host "`n  Output Files:"
Write-Host "    - $smbCsvPath"
Write-Host "    - $ldapCsvPath"
Write-Host "    - $ntlmCsvPath"
Write-Host "`n" + ("=" * 78) -ForegroundColor Cyan
detect_ntlm_relay.py23.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
NTLM Relay Detection via Event Correlation Script
Parses Windows Security event logs to detect NTLM relay attacks through
IP-hostname mismatch analysis, NTLMv1 downgrade detection, rapid multi-host
authentication patterns, and machine account relay indicators.

MITRE ATT&CK: T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)

Usage:
    python detect_ntlm_relay.py --evtx <security.evtx>
    python detect_ntlm_relay.py --evtx <security.evtx> --inventory hosts.csv
    python detect_ntlm_relay.py --evtx <security.evtx> --json --output results.json

Requirements:
    pip install python-evtx lxml
"""

import argparse
import csv
import json
import sys
import os
from datetime import datetime, timedelta
from collections import defaultdict

try:
    import Evtx.Evtx as evtx
    from lxml import etree
except ImportError:
    print("[!] Required packages not found. Install with: pip install python-evtx lxml")
    sys.exit(1)


EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Default time window for rapid authentication detection (seconds)
RAPID_AUTH_WINDOW = 120
# Minimum number of unique targets to flag rapid authentication
RAPID_AUTH_THRESHOLD = 3


def parse_security_event(record_xml):
    """Parse a Windows Security event record XML into a dictionary."""
    try:
        root = etree.fromstring(record_xml)
    except etree.XMLSyntaxError:
        return None

    ns = {"e": EVENT_NS}
    event = {}

    system = root.find(".//e:System", ns)
    if system is not None:
        event_id_elem = system.find("e:EventID", ns)
        event["EventID"] = int(event_id_elem.text) if event_id_elem is not None else 0
        time_elem = system.find("e:TimeCreated", ns)
        if time_elem is not None:
            event["TimeCreated"] = time_elem.get("SystemTime", "")
        computer_elem = system.find("e:Computer", ns)
        event["Computer"] = computer_elem.text if computer_elem is not None else ""

    event_data = root.find(".//e:EventData", ns)
    if event_data is not None:
        for data in event_data.findall("e:Data", ns):
            name = data.get("Name", "")
            value = data.text or ""
            event[name] = value

    return event


def load_host_inventory(csv_path):
    """
    Load hostname-to-IP mapping from CSV file.
    Expected columns: hostname,ip_address
    """
    inventory = {}
    try:
        with open(csv_path, "r", newline="") as f:
            reader = csv.DictReader(f)
            for row in reader:
                hostname = row.get("hostname", "").strip().upper()
                ip = row.get("ip_address", "").strip()
                if hostname and ip:
                    inventory[hostname] = ip
    except Exception as e:
        print(f"[!] Error loading inventory from {csv_path}: {e}")
    return inventory


def is_internal_ip(ip):
    """Check if an IP address is in RFC1918 private ranges."""
    if not ip or ip in ("-", "::1", "127.0.0.1"):
        return False
    parts = ip.split(".")
    if len(parts) != 4:
        return False
    try:
        first = int(parts[0])
        second = int(parts[1])
        if first == 10:
            return True
        if first == 172 and 16 <= second <= 31:
            return True
        if first == 192 and second == 168:
            return True
    except ValueError:
        return False
    return False


def detect_ip_hostname_mismatch(events, inventory):
    """
    Detect NTLM relay by finding Event 4624 LogonType 3 entries where
    the WorkstationName does not match the expected IP for that hostname.
    """
    findings = []

    for event in events:
        if event.get("EventID") != 4624:
            continue
        if event.get("LogonType") != "3":
            continue
        if event.get("AuthenticationPackageName") != "NTLM":
            continue

        target_user = event.get("TargetUserName", "")
        workstation = event.get("WorkstationName", "").strip().upper()
        source_ip = event.get("IpAddress", "")
        computer = event.get("Computer", "")
        timestamp = event.get("TimeCreated", "")
        lm_package = event.get("LmPackageName", "")

        # Skip machine accounts and anonymous logons
        if target_user.endswith("$") or target_user in ("ANONYMOUS LOGON", "-", ""):
            continue
        if source_ip in ("-", "::1", "127.0.0.1", ""):
            continue

        # Check against inventory
        if workstation in inventory:
            expected_ip = inventory[workstation]
            if source_ip != expected_ip:
                findings.append({
                    "timestamp": timestamp,
                    "detection_type": "IP-Hostname Mismatch (NTLM Relay Indicator)",
                    "severity": "CRITICAL",
                    "mitre": "T1557.001",
                    "target_host": computer,
                    "target_user": target_user,
                    "workstation_name": workstation,
                    "actual_source_ip": source_ip,
                    "expected_source_ip": expected_ip,
                    "lm_package": lm_package,
                    "explanation": (
                        f"Event 4624 shows {target_user} authenticating from "
                        f"workstation '{workstation}' but source IP is {source_ip} "
                        f"(expected {expected_ip}). This IP mismatch is a primary "
                        f"indicator of NTLM relay."
                    ),
                })

    return findings


def detect_rapid_multi_host_auth(events, window_seconds=RAPID_AUTH_WINDOW,
                                  threshold=RAPID_AUTH_THRESHOLD):
    """
    Detect rapid NTLM authentication to multiple targets from the same source,
    indicating relay spraying or credential relay.
    """
    findings = []

    # Group events by source IP and user
    auth_by_source = defaultdict(list)

    for event in events:
        if event.get("EventID") != 4624:
            continue
        if event.get("LogonType") != "3":
            continue
        if event.get("AuthenticationPackageName") != "NTLM":
            continue

        target_user = event.get("TargetUserName", "")
        source_ip = event.get("IpAddress", "")

        if target_user.endswith("$") or target_user in ("ANONYMOUS LOGON", "-", ""):
            continue
        if source_ip in ("-", "::1", "127.0.0.1", ""):
            continue

        try:
            ts = datetime.fromisoformat(event["TimeCreated"].replace("Z", "+00:00"))
        except (ValueError, KeyError):
            continue

        key = (source_ip, target_user)
        auth_by_source[key].append({
            "timestamp": ts,
            "target_host": event.get("Computer", ""),
            "workstation": event.get("WorkstationName", ""),
        })

    # Analyze each source for rapid multi-host authentication
    for (source_ip, target_user), auth_list in auth_by_source.items():
        auth_list.sort(key=lambda x: x["timestamp"])

        # Sliding window analysis
        for i in range(len(auth_list)):
            window_start = auth_list[i]["timestamp"]
            window_end = window_start + timedelta(seconds=window_seconds)

            targets_in_window = set()
            events_in_window = []

            for j in range(i, len(auth_list)):
                if auth_list[j]["timestamp"] <= window_end:
                    targets_in_window.add(auth_list[j]["target_host"])
                    events_in_window.append(auth_list[j])
                else:
                    break

            if len(targets_in_window) >= threshold:
                findings.append({
                    "timestamp": window_start.isoformat(),
                    "detection_type": "Rapid Multi-Host NTLM Authentication (Relay Spraying)",
                    "severity": "HIGH",
                    "mitre": "T1557.001",
                    "source_ip": source_ip,
                    "target_user": target_user,
                    "unique_targets": len(targets_in_window),
                    "target_hosts": sorted(targets_in_window),
                    "event_count": len(events_in_window),
                    "window_seconds": window_seconds,
                    "explanation": (
                        f"User '{target_user}' authenticated via NTLM from {source_ip} "
                        f"to {len(targets_in_window)} unique targets in {window_seconds}s. "
                        f"Rapid multi-host authentication is consistent with ntlmrelayx spraying."
                    ),
                })
                break  # One finding per source/user pair

    return findings


def detect_ntlmv1_downgrade(events):
    """
    Detect NTLMv1 authentication which indicates a downgrade attack.
    NTLMv1 is weaker and should not be in use in modern environments.
    """
    findings = []
    ntlmv1_by_user = defaultdict(list)

    for event in events:
        if event.get("EventID") != 4624:
            continue
        if event.get("LogonType") != "3":
            continue

        lm_package = event.get("LmPackageName", "")
        if "NTLM V1" not in lm_package:
            continue

        target_user = event.get("TargetUserName", "")
        if target_user.endswith("$") or target_user in ("ANONYMOUS LOGON", "-", ""):
            continue

        ntlmv1_by_user[target_user].append({
            "timestamp": event.get("TimeCreated", ""),
            "computer": event.get("Computer", ""),
            "source_ip": event.get("IpAddress", ""),
            "workstation": event.get("WorkstationName", ""),
        })

    for user, auth_list in ntlmv1_by_user.items():
        targets = set(a["computer"] for a in auth_list)
        source_ips = set(a["source_ip"] for a in auth_list)
        findings.append({
            "timestamp": auth_list[0]["timestamp"],
            "detection_type": "NTLMv1 Authentication Detected (Downgrade Attack Indicator)",
            "severity": "HIGH",
            "mitre": "T1557.001",
            "target_user": user,
            "ntlmv1_event_count": len(auth_list),
            "source_ips": sorted(source_ips),
            "target_hosts": sorted(targets),
            "explanation": (
                f"User '{user}' authenticated {len(auth_list)} times using NTLMv1. "
                f"NTLMv1 is deprecated and should not be in use. This may indicate "
                f"a downgrade attack or misconfigured LmCompatibilityLevel."
            ),
        })

    return findings


def detect_machine_account_relay(events):
    """
    Detect machine account NTLM authentication from unexpected IPs,
    indicating PetitPotam, DFSCoerce, or PrinterBug coercion + relay.
    """
    findings = []
    machine_auths = defaultdict(list)

    for event in events:
        if event.get("EventID") != 4624:
            continue
        if event.get("LogonType") != "3":
            continue
        if event.get("AuthenticationPackageName") != "NTLM":
            continue

        target_user = event.get("TargetUserName", "")
        source_ip = event.get("IpAddress", "")

        # Only machine accounts (ending in $)
        if not target_user.endswith("$"):
            continue
        if source_ip in ("-", "::1", "127.0.0.1", ""):
            continue

        machine_auths[target_user].append({
            "timestamp": event.get("TimeCreated", ""),
            "target_host": event.get("Computer", ""),
            "source_ip": source_ip,
            "workstation": event.get("WorkstationName", ""),
            "lm_package": event.get("LmPackageName", ""),
        })

    for machine_account, auth_list in machine_auths.items():
        source_ips = set(a["source_ip"] for a in auth_list)
        target_hosts = set(a["target_host"] for a in auth_list)

        # Flag if machine account authenticates from multiple source IPs
        # or if source IP does not match expected machine IP
        if len(source_ips) > 1:
            findings.append({
                "timestamp": auth_list[0]["timestamp"],
                "detection_type": "Machine Account NTLM Auth from Multiple Sources (Coercion + Relay)",
                "severity": "CRITICAL",
                "mitre": "T1557.001",
                "machine_account": machine_account,
                "source_ips": sorted(source_ips),
                "target_hosts": sorted(target_hosts),
                "auth_count": len(auth_list),
                "explanation": (
                    f"Machine account '{machine_account}' authenticated via NTLM from "
                    f"{len(source_ips)} different source IPs: {', '.join(sorted(source_ips))}. "
                    f"This indicates the machine's NTLM authentication was coerced "
                    f"(PetitPotam/DFSCoerce/PrinterBug) and relayed to "
                    f"{', '.join(sorted(target_hosts))}."
                ),
            })

    return findings


def detect_anonymous_ntlm_logons(events):
    """
    Detect ANONYMOUS LOGON via NTLM which can indicate null session relay
    or Responder activity.
    """
    findings = []
    anon_by_ip = defaultdict(list)

    for event in events:
        if event.get("EventID") != 4624:
            continue
        if event.get("LogonType") != "3":
            continue
        if event.get("AuthenticationPackageName") != "NTLM":
            continue

        target_user = event.get("TargetUserName", "")
        if target_user != "ANONYMOUS LOGON":
            continue

        source_ip = event.get("IpAddress", "")
        if source_ip in ("-", "::1", "127.0.0.1", ""):
            continue

        anon_by_ip[source_ip].append({
            "timestamp": event.get("TimeCreated", ""),
            "target_host": event.get("Computer", ""),
        })

    for source_ip, auth_list in anon_by_ip.items():
        targets = set(a["target_host"] for a in auth_list)
        if len(auth_list) >= 3:
            findings.append({
                "timestamp": auth_list[0]["timestamp"],
                "detection_type": "Excessive ANONYMOUS NTLM Logons (Responder/Relay Probe)",
                "severity": "MEDIUM",
                "mitre": "T1557.001",
                "source_ip": source_ip,
                "anonymous_logon_count": len(auth_list),
                "target_hosts": sorted(targets),
                "explanation": (
                    f"Source IP {source_ip} performed {len(auth_list)} anonymous NTLM "
                    f"logons to {len(targets)} hosts. Excessive anonymous NTLM "
                    f"authentication may indicate Responder probing or null session relay."
                ),
            })

    return findings


def parse_evtx_file(filepath):
    """Parse a .evtx file and return list of parsed events."""
    events = []
    try:
        with evtx.Evtx(filepath) as log:
            for record in log.records():
                try:
                    event = parse_security_event(record.xml())
                    if event and event.get("EventID") in (4624, 4625, 4648, 4776):
                        events.append(event)
                except Exception:
                    continue
    except Exception as e:
        print(f"[!] Error parsing {filepath}: {e}")
    return events


def print_findings(findings, title):
    """Print findings in a formatted table."""
    if not findings:
        print(f"\n[+] {title}: No findings")
        return

    print(f"\n{'=' * 80}")
    print(f"  {title} ({len(findings)} findings)")
    print(f"{'=' * 80}")

    for i, finding in enumerate(findings, 1):
        severity = finding.get("severity", "N/A")
        severity_marker = {
            "CRITICAL": "[!!!]",
            "HIGH": "[!!]",
            "MEDIUM": "[!]",
            "LOW": "[.]",
        }.get(severity, "[?]")

        print(f"\n  {severity_marker} [{i}] {finding.get('detection_type', 'Unknown')}")
        print(f"      Severity: {severity}")
        print(f"      Time: {finding.get('timestamp', 'N/A')}")

        if "target_user" in finding:
            print(f"      User: {finding['target_user']}")
        if "machine_account" in finding:
            print(f"      Machine: {finding['machine_account']}")
        if "source_ip" in finding:
            print(f"      Source IP: {finding['source_ip']}")
        if "actual_source_ip" in finding:
            print(f"      Actual Source IP: {finding['actual_source_ip']}")
            print(f"      Expected Source IP: {finding.get('expected_source_ip', 'N/A')}")
        if "workstation_name" in finding:
            print(f"      Workstation: {finding['workstation_name']}")
        if "target_hosts" in finding:
            hosts = finding["target_hosts"]
            if len(hosts) <= 5:
                print(f"      Targets: {', '.join(hosts)}")
            else:
                print(f"      Targets: {', '.join(hosts[:5])} ... (+{len(hosts)-5} more)")
        if "source_ips" in finding:
            print(f"      Source IPs: {', '.join(finding['source_ips'])}")

        print(f"      Detail: {finding.get('explanation', 'N/A')}")


def main():
    parser = argparse.ArgumentParser(
        description="Detect NTLM relay attacks via Windows Security event log correlation"
    )
    parser.add_argument(
        "--evtx", required=True,
        help="Path to Windows Security .evtx log file"
    )
    parser.add_argument(
        "--inventory",
        help="Path to CSV file with hostname,ip_address columns for mismatch detection"
    )
    parser.add_argument(
        "--json", action="store_true",
        help="Output results in JSON format"
    )
    parser.add_argument(
        "--output", "-o",
        help="Output file path (default: stdout)"
    )
    parser.add_argument(
        "--rapid-window", type=int, default=RAPID_AUTH_WINDOW,
        help=f"Time window for rapid auth detection in seconds (default: {RAPID_AUTH_WINDOW})"
    )
    parser.add_argument(
        "--rapid-threshold", type=int, default=RAPID_AUTH_THRESHOLD,
        help=f"Min unique targets for rapid auth alert (default: {RAPID_AUTH_THRESHOLD})"
    )
    args = parser.parse_args()

    if not os.path.exists(args.evtx):
        print(f"[!] File not found: {args.evtx}")
        sys.exit(1)

    # Load host inventory if provided
    inventory = {}
    if args.inventory:
        if os.path.exists(args.inventory):
            inventory = load_host_inventory(args.inventory)
            print(f"[*] Loaded {len(inventory)} hosts from inventory")
        else:
            print(f"[!] Inventory file not found: {args.inventory}")

    print(f"[*] Parsing Security events from: {args.evtx}")
    events = parse_evtx_file(args.evtx)
    print(f"[*] Parsed {len(events)} relevant Security events (4624, 4625, 4648, 4776)")

    ntlm_4624 = [e for e in events if e.get("EventID") == 4624
                  and e.get("AuthenticationPackageName") == "NTLM"]
    print(f"[*] Found {len(ntlm_4624)} NTLM LogonType 3 events for analysis")

    print("[*] Running NTLM relay detection modules...")

    # Run all detection modules
    mismatch_findings = detect_ip_hostname_mismatch(events, inventory) if inventory else []
    rapid_auth_findings = detect_rapid_multi_host_auth(
        events, args.rapid_window, args.rapid_threshold
    )
    ntlmv1_findings = detect_ntlmv1_downgrade(events)
    machine_relay_findings = detect_machine_account_relay(events)
    anon_findings = detect_anonymous_ntlm_logons(events)

    all_findings = (
        mismatch_findings + rapid_auth_findings + ntlmv1_findings
        + machine_relay_findings + anon_findings
    )

    all_results = {
        "scan_time": datetime.utcnow().isoformat() + "Z",
        "security_log": args.evtx,
        "inventory_file": args.inventory or "Not provided",
        "inventory_hosts": len(inventory),
        "total_events_parsed": len(events),
        "ntlm_logon_events": len(ntlm_4624),
        "detection_modules": {
            "ip_hostname_mismatch": {
                "enabled": bool(inventory),
                "findings": mismatch_findings,
                "count": len(mismatch_findings),
            },
            "rapid_multi_host_auth": {
                "enabled": True,
                "findings": rapid_auth_findings,
                "count": len(rapid_auth_findings),
                "window_seconds": args.rapid_window,
                "threshold": args.rapid_threshold,
            },
            "ntlmv1_downgrade": {
                "enabled": True,
                "findings": ntlmv1_findings,
                "count": len(ntlmv1_findings),
            },
            "machine_account_relay": {
                "enabled": True,
                "findings": machine_relay_findings,
                "count": len(machine_relay_findings),
            },
            "anonymous_ntlm_logons": {
                "enabled": True,
                "findings": anon_findings,
                "count": len(anon_findings),
            },
        },
        "summary": {
            "total_findings": len(all_findings),
            "critical": len([f for f in all_findings if f.get("severity") == "CRITICAL"]),
            "high": len([f for f in all_findings if f.get("severity") == "HIGH"]),
            "medium": len([f for f in all_findings if f.get("severity") == "MEDIUM"]),
            "low": len([f for f in all_findings if f.get("severity") == "LOW"]),
        },
    }

    if args.json:
        output = json.dumps(all_results, indent=2, default=str)
        if args.output:
            with open(args.output, "w") as f:
                f.write(output)
            print(f"[*] JSON results written to: {args.output}")
        else:
            print(output)
    else:
        print(f"\n[*] NTLM Relay Detection Report")
        print(f"[*] Scan Time: {all_results['scan_time']}")
        print(f"[*] Events Analyzed: {all_results['total_events_parsed']}")
        print(f"[*] NTLM Network Logons: {all_results['ntlm_logon_events']}")

        if not inventory:
            print("\n[!] WARNING: No host inventory provided (--inventory).")
            print("    IP-hostname mismatch detection is DISABLED.")
            print("    Provide a CSV with hostname,ip_address columns for full detection.")

        print_findings(mismatch_findings, "IP-Hostname Mismatch Detection")
        print_findings(rapid_auth_findings, "Rapid Multi-Host Authentication")
        print_findings(ntlmv1_findings, "NTLMv1 Downgrade Detection")
        print_findings(machine_relay_findings, "Machine Account Relay (Coercion)")
        print_findings(anon_findings, "Anonymous NTLM Logon Analysis")

        print(f"\n{'=' * 80}")
        print(f"  SUMMARY")
        print(f"{'=' * 80}")
        s = all_results["summary"]
        print(f"  Total Findings:  {s['total_findings']}")
        print(f"  Critical:        {s['critical']}")
        print(f"  High:            {s['high']}")
        print(f"  Medium:          {s['medium']}")
        print(f"  Low:             {s['low']}")

        if s["critical"] > 0:
            print(f"\n  [!!!] CRITICAL findings detected -- NTLM relay attack likely in progress!")
            print(f"        Recommended: Isolate source IPs, reset affected credentials,")
            print(f"        enforce SMB/LDAP signing, disable LLMNR/NBT-NS.")

        if args.output:
            with open(args.output, "w") as f:
                json.dump(all_results, f, indent=2, default=str)
            print(f"\n[*] Full results written to: {args.output}")


if __name__ == "__main__":
    main()
Keep exploring